PayPal's Venmo App Exposes Most Transactions Via Its API
The vast majority of Venmo transactions are being logged in a public API accessible to anyone, according to a recent investigation by a privacy advocate.

This happens because the Venmo app's default privacy setting is "Public" for all users. Unless users specifically change that value, every transaction they make through the Venmo money-sending app is logged and made available to anyone via the Venmo public API.

Data exposed through this API includes the first and last names of the sender and the recipient, their Venmo avatars, the date of the transaction, the comment attached to the transaction, the transaction type, and more.

Venmo API can be used to track people's lives

Hang Do Thi Duc, the privacy advocate who discovered this issue, used this default-public setting to query the Venmo API and download data on all of the company's public 2017 transactions, 207,984,218 in total.

Duc also set up a website called Public by Default that lists several cases where interconnected Venmo payments were enough to build profiles of some of the company's customers. For example, Duc tracked transactions related to a cannabis reseller, a corn dealer, a family, and several random couples, as well as the story of a woman with 2,033 Venmo transactions.

Duc has also published visual instructions on how Venmo users can change the privacy setting of their profile from Public to Private.

The Venmo API is available here, and users can also access this link to view the latest Venmo transactions recorded in the public API.

Problem known since 2016

Venmo is a US-only mobile payments app launched in 2009. Braintree bought Venmo in 2012 for $26.2 million; a year later PayPal bought Braintree for $800 million, and Venmo is now an official PayPal subsidiary.

Duc's work is not the first of its kind. Security researcher Dan Gorelick first warned of this issue back in October 2016, publishing a tutorial on how someone could mine the Venmo API for sensitive information.
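The profiling Duc describes, where a stream of public transactions is turned into per-person histories, needs nothing more than grouping records by name and counting who pays whom. The script below is an added example written for this page, not Duc's code and not anything from Venmo; it runs offline over a constructed sample feed whose JSON key names (actor, target, date_created, note, type) are assumptions shaped after the fields the article lists, not Venmo's real API schema. It builds a profile per user (transaction count, counterparties, first and last seen dates, all notes), ranks the most active users, and flags everyone involved in a transaction whose note matches a keyword watchlist, which is how a "cannabis reseller" surfaces from nothing but public comments.

```python
"""Offline profiling over constructed public-feed records (added example)."""
from collections import Counter
from datetime import datetime, timezone
import json

# Constructed sample feed. The key names and layout are assumptions modelled
# on the fields the article names (names, avatars, date, note, type); they are
# not Venmo's real API schema.
SAMPLE_FEED = json.dumps([
    {"actor": {"name": "Alice Smith", "avatar": "alice.png"},
     "target": {"name": "Bob Jones", "avatar": "bob.png"},
     "date_created": "2017-03-01T10:00:00Z", "note": "pizza", "type": "payment"},
    {"actor": {"name": "Bob Jones", "avatar": "bob.png"},
     "target": {"name": "Alice Smith", "avatar": "alice.png"},
     "date_created": "2017-03-02T09:30:00Z", "note": "rent", "type": "payment"},
    {"actor": {"name": "Alice Smith", "avatar": "alice.png"},
     "target": {"name": "Carol Lee", "avatar": "carol.png"},
     "date_created": "2017-03-05T21:15:00Z", "note": "dispensary", "type": "payment"},
    {"actor": {"name": "Dave Kim", "avatar": "dave.png"},
     "target": {"name": "Carol Lee", "avatar": "carol.png"},
     "date_created": "2017-03-06T22:00:00Z", "note": "green", "type": "charge"},
    {"actor": {"name": "Alice Smith", "avatar": "alice.png"},
     "target": {"name": "Bob Jones", "avatar": "bob.png"},
     "date_created": "2017-04-01T08:00:00Z", "note": "rent", "type": "payment"},
    {"actor": {"name": "Eve Park", "avatar": "eve.png"},
     "target": {"name": "Alice Smith", "avatar": "alice.png"},
     "date_created": "2017-04-10T19:45:00Z", "note": "dinner", "type": "payment"},
])


def parse_feed(raw):
    """Normalise raw feed JSON into flat transaction dicts."""
    txns = []
    for rec in json.loads(raw):
        when = datetime.strptime(rec["date_created"], "%Y-%m-%dT%H:%M:%SZ")
        txns.append({
            "sender": rec["actor"]["name"],
            "recipient": rec["target"]["name"],
            "when": when.replace(tzinfo=timezone.utc),
            "note": rec["note"],
            "type": rec["type"],
        })
    return txns


def build_profiles(txns):
    """One profile per name: activity count, counterparties, date range, notes.
    Each transaction contributes to both the sender's and the recipient's profile."""
    profiles = {}
    for t in txns:
        for me, other in ((t["sender"], t["recipient"]),
                          (t["recipient"], t["sender"])):
            p = profiles.setdefault(me, {
                "count": 0, "counterparties": Counter(), "notes": [],
                "first_seen": t["when"], "last_seen": t["when"],
            })
            p["count"] += 1
            p["counterparties"][other] += 1
            p["notes"].append(t["note"])
            p["first_seen"] = min(p["first_seen"], t["when"])
            p["last_seen"] = max(p["last_seen"], t["when"])
    return profiles


def most_active(profiles, n=3):
    """Names ranked by transaction count (ties broken alphabetically)."""
    return sorted(profiles, key=lambda name: (-profiles[name]["count"], name))[:n]


def flag_by_note(txns, keywords):
    """Everyone on either side of a transaction whose note matches a watch word."""
    kws = [k.lower() for k in keywords]
    hits = set()
    for t in txns:
        note = t["note"].lower()
        if any(k in note for k in kws):
            hits.update((t["sender"], t["recipient"]))
    return hits


if __name__ == "__main__":
    txns = parse_feed(SAMPLE_FEED)
    profiles = build_profiles(txns)
    for name in most_active(profiles):
        p = profiles[name]
        print(name, p["count"], dict(p["counterparties"]),
              p["first_seen"].date(), p["last_seen"].date())
    print("watchlist hits:", sorted(flag_by_note(txns, ["dispensary", "green"])))
```

The point of the example is how little work the correlation takes: with six records, Alice Smith already has a recurring counterparty, a date range, and a link to a flagged recipient. Scaled to the roughly 208 million public records Duc pulled for 2017, the same loops produce exactly the profiles shown on Public by Default.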